Google published yesterday a list of 42 smartphone models from 12 vendors that run up-to-date Android OS versions with the latest security patches applied.

The list is meant to help boost sales for the listed models as a reward for vendors who focused on providing their customers with the security patches Google puts out each month via its Android Security Bulletin.

The table below includes all smartphone models that run a security update from the last two months:

Besides the table above, Google said there are also over 100 smartphone models that run an Android version with a security patch from the last 90 days (three months). Despite this, the vast majority of today's smartphones run outdated versions of the Android OS.

Google quadruples reward for TrustZone or Verified Boot RCE

Furthermore, Google announced it would be paying an insane amount of money to researchers who deliver two types of bug reports.

$200,000 to any security researcher who files a bug report for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise. Google was previously paying $50,000 for this type of bug report.

$150,000 to any security researcher who files a bug report for a remote kernel exploit. Google was previously paying $30,000 for this type of bug report.

The increase of this reward comes after a failed contest organized last year. In September 2016, Project Zero, a division of the Google security team specialized in finding zero-days, announced a contest that would have paid $200,000 (first place), $100,000 (second place), and $50,000 (third place) for a full exploit chain that would compromise Android devices.

The contest was so hard that no researcher submitted any bug reports, albeit some told Google they were working on it.

Google paid $1.5M+ for Android bug reports in the last 2 years

In addition to the increase of bug report payouts for the above two vulnerability types, Google also released details about its Android bug bounty program, known as the Android Security Rewards program.

According to the company, after two years, they've paid out over $1.5 million in rewards to 115 individuals (or security teams) for 450 valid vulnerability reports.

On average, the company paid $2,150 per successful bug report and $10,209 per researcher. The top earner is C0RE Team, who earned over $300,000 for 118 vulnerability reports.

Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.